Researchers Uncover Critical RubyGems Vulnerabilities

Researchers at Trustwave have uncovered critical vulnerabilities in RubyGems, the package manager for the Ruby programming language.

The first flaw, CVE-2015-3900, is a request hijacking vulnerability and has been patched.

According to Jonathan Claudius, lead security researcher at Trustwave, the vulnerability is critical because it allows a cyber-criminal to remotely execute code on Ruby users when they are trying to install a RubyGem.

"It’s trivial to exploit," he told SecurityWeek. "An attacker simply needs to poison a DNS record to gain remote code execution on a given client machine."

According to Trustwave, the RubyGems client has a 'Gem Server Discovery' feature that uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, which allows arbitrary redirection to attacker-controlled gem servers. As a result, an attacker could force the user to install malicious gems.

While RubyGem signing is a mitigation strategy for the issue, it is barely used in the RubyGem ecosystem, according to Trustwave. After CVE-2015-3900 was fixed, Trustwave identified CVE-2015-4020, which allows attackers to redirect users to domains that end with the original security domain - for example, an attacker-controlled rubygems.org.

The bugs could impact a significant number of users. According to Trustwave, OpenDNS security researcher Anthony Kasza found that OpenDNS sees roughly 24,000 requests for the DNS SRV record each day, meaning there are 24,000 gem installations per day discounting local system caches, gem dependencies and gem installation typos. Since OpenDNS sees about two percent of the world's Internet traffic, assuming each area of the world has the same likelihood of installing gem packages, which could mean there are 1.2 million gem installations per day across the Internet.

Ruby fixed the first vulnerability May 14th and the second one on June 8th.

As an example of an attacker scenario, Claudius said, imagine a user goes into a coffee shop with free Wi-Fi and installs Ruby-based software and either the coffee shop owner or a malicious party forges a bad DNS response that points the user to a malicious gem server.

"At that time, the user will download and install potentially Trojaned software and compromise their workstation," he said.

The issues could also be attacked in a broad, wide-sweeping DNS poisoning attack affecting the entire RubyGem ecosystem, he said.

Trustwave suggests user upgrade their RubyGem client in all of their Ruby environments to 2.4.8 or higher. In addition, verify all RubyGem sources are using HTTPS using the "gem sources" command. For gem producers, consider gem-signing, the firm recommends. Gem consumers should use the strongest gem installation trust policies supported by their gem provider, according to the firm.